I repurposed an old laptop that wasn’t running very well by taking the guts out of it and stuffing it into an old 1U server chassis and installed Proxmox on bare metal.

Currently running a HAOS VM, Docker in an LXC, and I’m in the process of trying to set up WireGuard in an LXC.

I honestly can’t remember the exact specs of the laptop, but it’s very old, and with what I’m currently running I’ve still got tons of overhead left.

I do have a monitor/kbm plugged into it and I’m running XFCE just incase I want to check on something locally while I’m downstairs, but generally the monitor is turned off (in case the power goes out, it won’t be an unnecessary drain on my UPS) and I just ssh in or use one of the Web-GUI’s, depending on the service I’m working on at the time.

You could run the reverse proxy on your VPS

This may be the way I need to do it, unfortunately (it seems a fair bit more complicated for someone with pretty limited knowledge on this kind of networking).

Ideally I’d like to use your second approach, with CF Tunnels (something I’ve looked into a bit in the past), but from what I understand, I’d run the risk of violating their TOS and being blocked if too much video passes through their server, which is fairly likely to happen when running a service like Emby through CF.

Thanks! Those are great tips, and definitely sound like the type of thing I’m looking for, and I’m sure I’d have no problem setting them up, aside from one issue:

My main concern, is using these services while behind CG-NAT; currently the only way I know how to access my network from outside at all is to go through my VPS using OpenVPN clients, since I don’t have a public IP.

I’d ideally like to do away with the VPN entirely, so I don’t need to set up client apps to give new devices access, but adding the extra layer of CG-NAT on top of those services makes this all more confusing for me, since most of the information I’ve found online doesn’t involve CG-NAT.